DoD grapples with smartphone, tablet security


Last week we were talking about a major new software product that security giant Symantec Corp. hopes DoD, the feds and the private sector will buy to let workers use their own smartphones and other devices for work -- securely. It's still more than a year away, though, and there's no guarantee it'll work, or that the government will want to buy it. But service members and civilians are using their own smartphones and tablets now, today, meaning the Defense Department's top systems officials already have their work cut out.

This is tricky, because commands are finding many new ways to use their consumer-grade devices -- like the Marine aviators whose new best friend is the iPad -- so DoD officials want to allow that kind of adaptation, but make sure it doesn't pose a security threat. This is how an official DoD story broke it all down:

“Because of the pervasiveness of the [mobile computing] market, everyone has one, everyone wants one, but we often don’t look at how the device works -- we take it home and start loading pictures on it,” Robert E. Young, division chief of outreach and communications for the Defense-wide Information Assurance Program, said during a recent interview with the Pentagon Channel and American Forces Press Service. “We do want this innovation in the Department of Defense so we don’t want to say no,” he added, “but we want to do it safely and securely.”

Issues that concern the department, Young said, include the huge memory capacities of some of the new smart devices and users’ general lack of knowledge about how smart phones and tablets work and how they could be compromised. “With all the different operating systems out there,” Young said, “every patch, every update changes each device and the vulnerabilities within [and users] are going to have to weigh that risk.”

Young said the department is evaluating how people are really using the devices -- whether they’re using smart phones to check email or tablets to read memorandums or policies. “What are you doing with the device? Is the camera disabled, are you taking pictures of people? I take a picture of you, I upload it and now you’re tagged and all of a sudden everyone knows where you are. So it leads to a digital footprint that connects to the device -- anywhere, anytime, any device,” he said. “In a split-second it’s up and online,” he added. “And once on the net -- always on the net.”


The story goes on to explain that, of course, there's a high-level commission looking at this issue from soup to nuts.

“We have a Commercial Mobile Device Working Group and we take best practices from [the Defense Advanced Research Projects Agency], the [Intelligence Advanced Research Projects Activity] and from our intelligence community partners” and share information, Young said. “In the working group we have Army, Navy, Air Force, Coast Guard, FBI, CIA,” he added, “ … so that as a federal government, with a federated response, we can go to the vendors and say, this is what we need.”

The department also is working with DARPA and the Army on pilot programs for using mobile computing devices innovatively while also protecting information. “Is the data at risk; is it encrypted while it’s being worked on?” he said. “If you lose a device physically what are you going to do?”


Defense officials' experience with officially issued laptops is some help here, but there are crucial differences. Unlike a government computer, which administrators might be able to lock out remotely if an employee reports its loss, there may be nothing they can do if a worker admits losing an iPad that may have contained sensitive information. Sure, that's an extreme example -- why would your employee be carrying such data on his tablet in the first place? -- but there are likelier scenarios, too. Suppose a worker's Android phone is infected with malware, and she innocently plugs it into her work computer to charge and sync contacts. You can imagine the government IT workers turning green at the thought of thousands of unknown phones running unknown software being plugged into official computers, even when the workers doing it are being scrupulous about handling secure information.

It's a thorny problem, but DoD has no choice -- the mobile device genie is out of the bottle.

DoDBuzz